Abstract

A guessing attack on a security protocol is an attack where an attacker guesses a poorly chosen secret (usually a low-entropy user password) and then seeks to verify that guess using other information. Past efforts to address guessing attacks in terms of design or analysis considered only protocols executed in isolation. However, security protocols are rarely executed in isolation, and reality is always a case of mixed protocols. In this paper, we introduce new types of attacks called multi-protocol guessing attacks, which can exist when protocols are mixed. We then develop a systematic procedure to analyze protocols subject to guessing attacks. Using this procedure, we present a method of deriving some syntactic conditions to be followed in order for a protocol to be secure against multi-protocol guessing attacks. Lastly, we use the strand space framework to prove that a protocol will remain secure, given that these conditions are followed, by modeling the conditions within the strand space framework. We illustrate these concepts using the Bellovin and Merritt protocol (EKE) as an example.

1. Introduction

Since people tend to choose poor passwords [17], security protocols using them are vulnerable to guessing attacks [9]. As an example, consider the following simple protocol:

Msg 1. $a \rightarrow s : a$
Msg 2. $s \rightarrow a : n_s$
Msg 3. $a \rightarrow s : \{n_s\}_{passwd(a,s)}$

Here, user a aims to authenticate itself to server s ($n_s$ is a nonce; $\{m\}_k$ represents m encrypted with key k).

* This work was funded in part by DARPA under grant no. MDA972-00-1-0001.

Now an attacker observing these communications can mount a guessing attack by guessing the user's password. For example, if the user is one of the authors of this paper, then he might guess "alwaysalves" as the password. He can then compute $\{n_s\}_{alwaysalves}$ and compare it with message 3 that he obtained ($\{n_s\}_{passwd(a,s)}$). A successful comparison indicates with high probability that this might be the user's password.

Past efforts to address guessing attacks in terms of design [9] or analysis [15] focused only on protocols executing in isolation. However, security protocols are rarely executed in an isolated environment, without interaction from other protocols. Some of the main reasons for "mixed" operation of protocols include:

• deliberate use of sub-protocols such as Kerberos, Neuman-Stubblebine etc. [13, 18], which use those sub-protocols for re-authentication, or

• protocols having different options and hence multiple sub-protocols [5, 12, 16], or

• accidental execution of different protocols on the user's machine (many times with the same parties, through the same communication channels and having the same message formats and/or keying material).

Together with these, re-using the same keying material (due to the high cost of certified keys), multiple uses of keying formats and keys (due to the widespread use of cryptographic APIs) and using the same password for different applications (which is a commonly observed characteristic of human-chosen passwords) make a mixed environment hostile for protocols.

Hence, the interesting questions to ask are:

• can mixing of two protocols result in new attacks that were not known to exist when either of them executes in isolation?

• each of the protocols may be easy to analyze independently. But how should we analyze them when they are operating in a varying, mixed environment?

• what are the conditions (if any exist) under which a protocol can operate securely, without fear of being attacked by mixing information from other protocols?

In this paper we introduce new attacks called "multi-protocol guessing attacks", which are guessing attacks that are launched when protocols are mixed. Firstly, we present a background and motivation, together with some examples of multi-protocol guessing attacks, in section 2. Next, we give an overview of the strand space framework and present a systematic procedure to analyse a protocol for guessing attacks (section 3). We then use this procedure to derive some syntactic conditions under which a protocol can remain secure against guessing attacks even in a mixed environment. We model these conditions within the strand space framework and prove that, as long as these conditions are satisfied, a protocol cannot be attacked through multi-protocol guessing attacks (section 4). We sum up with a conclusion and some possible extensions for future work in section 5.

2. Background

In [1, 2, 3] we have presented multi-protocol attacks on security protocols, which can exist on interleaved protocols. We have also suggested some techniques that must be adopted for a protocol to remain secure in a mixed environment. Subsequently, Guttman et al. [11] proved a useful result, that protocols are independent if they use disjoint encryption, one of our earlier suggestions to resist multi-protocol attacks. Thus, Guttman et al. virtually buried the threat of multi-protocol attacks.

In this paper, we revive multi-protocol attacks, but this time considering them in the context of guessing attacks on protocols with weak secrets. We name these newly found attacks multi-protocol guessing attacks.

The result by Guttman et al. in [11] cannot always be applied to multi-protocol guessing attacks. This is because, unlike all other attacks including multi-protocol attacks, guessing attacks can be launched entirely off-line, with mere eavesdropping (without blocking or modifying the messages) and even without finishing any protocol run.

Most importantly, as we will illustrate, they can be launched without replaying messages. Since Guttman et al.'s result is based on showing that all inbound linking paths (messages from other protocols into the primary protocol) can be removed, it does not apply to attacks that can be launched using mixed protocols where there are no inbound linking paths.


We will illustrate how multi-protocol guessing attacks can be launched using the EKE protocol. Firstly, we make two assumptions about the guessing attacks we consider in this paper:

1. The passwords being guessed have low entropy (typically, chosen by humans). Contrast this with high-entropy passwords such as machine-generated ones, where the passwords are chosen from a large space, making guessing infeasible.

2. The verification of a guess does not need repeated on-line interaction with other parties: typically, for repeated unsuccessful attempts, servers raise an alarm and mount additional countermeasures like shutting down the connection. In this paper, we consider only those guessing attacks that can be launched entirely off-line, where failed attempts are undetectable.

Now consider the following EKE (Encrypted Key Exchange) protocol presented by Bellovin and Merritt in [4]:

Msg 1. $a \rightarrow b : \{pk_a\}_{passwd(a,b)}$
Msg 2. $b \rightarrow a : \{\{k\}_{pk_a}\}_{passwd(a,b)}$
Msg 3. $a \rightarrow b : \{n_a\}_k$
Msg 4. $b \rightarrow a : \{n_a, n_b\}_k$
Msg 5. $a \rightarrow b : \{n_b\}_k$

Here, a and b try to agree on a shared session key k, with $passwd(a,b)$ representing the password that a shares with b and $pk_a$ an asymmetric key of a. Lowe [15] analyzed this protocol using FDR [14] and found no attacks.

Now consider another protocol presented in [9]:

Msg 1. $a \rightarrow b : \{c, n\}_{k1}$
Msg 2. $b \rightarrow a : \{f(n)\}_{passwd(a)}$

$k1$ is a's public key, and c is a "confounder" (a redundant random number) to prevent guessing; n is any number and f is a function which is publicly known. This protocol as well was not known to have any flaws when executed in isolation.

It is interesting to ask if c is really necessary. Without c, a penetrator can guess $passwd(a)$ and decrypt message 2. He can then compute $f^{-1}(f(n))$ and encrypt the result with $k1$. A successful comparison with message 1 (without c, just $\{n\}_{k1}$) would verify the guess.

Gong et al. [?] suggest that using c is unnecessary if $k1$ is unknown, i.e. given that $k1$ is unknown to the penetrator (as assumed in the EKE protocol above), the protocol is secure.

However, if the protocol is combined with the EKE protocol, i.e. in a mixed environment, the following attack can be visualised:




Attack 1. Let P1 represent the first protocol (EKE) and P2 the second protocol. A penetrator can initially guess $passwd(a,b)$ in P1 and decrypt message 1 to obtain $pk_a$. He can then guess $passwd(a)$ in P2 and get $f(n)$. From this value he can obtain n and encrypt it with $pk_a$ that he obtained from P1. Finally he can match this value with its recorded value in message 1 of P2 to verify his guess.

Now consider another identification protocol¹ similar to the one presented in [9]:

Msg 1. $a \rightarrow s : a, s$
Msg 2. $s \rightarrow a : n_s$
Msg 3. $a \rightarrow s : \{\{a, n_s\}_{pv_a}\}_{passwd(a)}$

Let this protocol be represented as P3. Here user a aims to identify itself to server s ($pv_a$ is the private key of a). This protocol as well is secure, given that the corresponding public key of a ($pk_a$) is unknown to the penetrator.

However, when it is mixed with P1 due to any of the reasons mentioned in section 1, the following attack can be visualised:

Attack 2. The penetrator can initially guess $passwd(a,b)$ and decrypt message 1 in P1 to obtain $pk_a$. He can then guess $passwd(a)$ and decrypt message 3 in P3 to obtain $\{a, n_s\}_{pv_a}$. Finally he can decrypt $\{a, n_s\}_{pv_a}$ with $pk_a$ (from P1) and match $n_s$ in it with $n_s$ sent in message 2 to verify his guess.

Similar attacks can be found on many existing protocols. Observe that these attacks were possible even though all the protocols P1, P2, P3 were otherwise secure in an isolated environment. Also, none of the attacks assumed that the user used the same passwords in each protocol; thus, in general, the effect when the same passwords are chosen in different protocols cannot be overstated. Of course, both assumed that users use the same public key in more than one application, which is not unreasonable to assume, given the facts in section 1.


3. Strand Space Framework

In this section, we give an introduction to the strand space framework of [6, 7, 8]. We chose strand spaces since it is a particularly suitable framework to derive and demonstrate the results required in these contexts.

To start with, let Fact denote the set of all possible elements in a protocol² and Atom the set of atomic values (e.g. Alice, Bob, $N_a$, PubKey(A) etc.) assumed to be contained in a protocol. When two data items a and b are to be concatenated, we write $a . b$ or $(a, b)$. When a data item a is to be encrypted with a key k, we write $\{a\}_k$, and the inverse of a key k as $k^{-1}$.

When we talk about the first or second component in a fact with two components we use subscripts "1" and "2" as: $(f_1, f_2)_1 = f_1$, $(f_1, f_2)_2 = f_2$.

Also, the subfact relation $\sqsubseteq$ is defined as the smallest relation on facts such that

$f \sqsubseteq f$; $f \sqsubseteq \{f'\}_{k'}$ iff $f \sqsubseteq f'$; and $f \sqsubseteq (f_1, f_2)$ iff $f \sqsubseteq f_1 \vee f \sqsubseteq f_2$.

¹ Typically these are protocols used by ATMs (automatic teller machines).

² with 'message' referring to the entire collection of facts sent in a protocol step.

Definition 1. A strand is a sequence of communications by any agent in a protocol run, represented as $\langle \pm f_1, \pm f_2, \ldots, \pm f_n \rangle$. Each node in the set of nodes $\mathcal{N}$ receives (represented as $-$) or transmits (represented as $+$) a fact ($f_i$) and belongs to a unique strand.

1. An edge $\Rightarrow$ is drawn between all consecutive nodes on the same strand.

2. An edge $\rightarrow$ is drawn between nodes belonging to different strands, if one node transmits a fact and the other node receives the same fact.

3. A strand space $\Sigma$ is a directed graph with all the nodes in $\mathcal{N}$ as vertices and $(\rightarrow \cup \Rightarrow)$ as edges.

A bundle represents a partial or complete history of the network. Let C be a bundle and $(\rightarrow_C \cup \Rightarrow_C)$ be a finite set of edges. Then,

1. If $n_2 \in \mathcal{N}_C$ receives a fact, then there exists a unique $n_1$ with $n_1 \rightarrow_C n_2$.

2. If $n_2 \in \mathcal{N}_C$ with $n_1 \Rightarrow n_2$, then $n_1 \Rightarrow_C n_2$;

3. C is acyclic.

A node n is an entry point to a set of facts F if there is no node previous to n transmitting a fact in F. A fact originates on n if n is an entry point to all possible facts. A fact is uniquely originating in a bundle if it does not originate on any other node in the bundle.

The penetrator is assumed to possess some message elements $M_P$ and keys $K_P$.

Definition 2. A penetrator strand is one of the following:

M  Text message $\langle +f \rangle$ with $f \in M_P$.

F  Flushing $\langle -f \rangle$.

T  Tee $\langle -f, +f, +f \rangle$.

C  Concatenation $\langle -f_1, -f_2, +f_1 f_2 \rangle$.

S  Separation $\langle -f_1 f_2, +f_1, +f_2 \rangle$.

K  Key $\langle +k \rangle$ with $k \in K_P$.

E  Encryption $\langle -k, -f, +\{f\}_k \rangle$, $k \in K_P$.

D  Decryption $\langle -k^{-1}, -\{f\}_k, +f \rangle$, $k \in K_P$.

A regular strand, in contrast, is one corresponding to an honest agent. An ideal captures all possible operations of an honest agent on a given set using a given set of keys. In particular, the smallest k-ideal for an element $h \in Fact$ using set of keys k is denoted as $I_k[h]$. It consists of all possible operations (concatenation and encryption) between h and all the elements of Fact.

Since we deal with mixed protocols, we use the concept of mixed strand spaces as well.

Definition 3. A mixed strand space consists of combined strands from different protocols. Some particular strands in this space are called primary strands, implying the primary protocol under consideration, and secondary strands, consisting of all the remaining protocols. A set of facts $I \subseteq Fact$ is unserved in a strand space $\Sigma$ if an entry point for I does not lie on a secondary strand. Similarly, I is strongly unserved in $\Sigma$ if no element in I ever originates on a secondary strand.

We will now present our method to analyze protocols for guessing attacks using this framework and illustrate it on an example. The basic idea for the method is derived from [10], where Guttman uses the concept of identifying the unintended services by honest agents to find attack scenarios. The method we give below is such a practical recipe for an informal analysis.

Firstly, we denote $=$ as a binary relation on facts that returns true if there is a match between two facts and false otherwise. Also, we define some more sets of facts, classified into:

1. Facts that can be guessed (as set G);

2. Facts that can be derived by the penetrator P in all possible roles and combinations (as set D);

3. Facts that can be verified (as set V), e.g. $\{n_a\}_{passwd(a)}$ can be compared with $\{n_a, n_b\}_{passwd(a,b)}$ by guessing $passwd(a,b)$ and³ doing $n_a = (n_a, n_b)_1$;

4. Facts that can be constructed (as set C). These are typically those that the penetrator can construct using his knowledge and derived knowledge (D and facts obtained by guessing, O).

³ Recall that subscripts "1" and "2" return the first and second elements respectively from a fact with two elements.

Firstly, we identify all unintended services offered by honest agents that increase the penetrator's knowledge and capability. Then, we list out the initial penetrator knowledge in terms of facts that he knows and use the unintended services to derive all possible facts that he can derive; for this, we consider all possible roles that a penetrator can play. Then, we use set G to enumerate the facts that he can obtain corresponding to decrypting facts using guesses in place of G (set O). Finally, we list out all possible verification attempts using V to verify a guess, and all possible facts that can be constructed using the updated penetrator knowledge, similar to the form of any recorded messages, which again would verify a guess.

Now consider the following "demonstration protocol" presented by Gong et al. [9]:

Msg 1. $a \rightarrow s : \{a, b, n_{a1}, n_{a2}, c_a, \{t_a\}_{K_a}\}_{K_s}$
Msg 2. $s \rightarrow b : a, b$
Msg 3. $b \rightarrow s : \{b, a, n_{b1}, n_{b2}, c_b, \{t_b\}_{K_b}\}_{K_s}$
Msg 4. $s \rightarrow a : \{n_{a1}, n_{a2} \oplus k\}_{K_a}$
Msg 5. $s \rightarrow b : \{n_{b1}, n_{b2} \oplus k\}_{K_b}$
Msg 6. $a \rightarrow b : \{r_a\}_k$
Msg 7. $b \rightarrow a : \{f_1(r_a), r_b\}_k$
Msg 8. $a \rightarrow b : \{f_2(r_b)\}_k$

Lowe [15] analyzed this protocol and found no attacks. To illustrate our method, let us assume that the server cannot detect replays.

Let init, resp and serv denote the regular strands of a, b and s in the protocol. We will remove a lot of redundant steps in the illustration because of the obvious symmetry visible in the protocol steps: a and b have the same message formats in four messages.

Step 1. We first identify the unintended services provided by serv. From the protocol it is evident that messages 1 and 3 are "junk", i.e. anyone can replay them spoofing as a or b (provided that the server cannot detect those replays, which was part of our initial assumptions). Hence, strand serv gives a message $\{n_{a1}, n_{a2} \oplus k\}_{passwd(a)}$ each time, with a different key for each such replay.

Step 2. The facts that can be guessed (presumably, poorly chosen secrets) in this protocol are $passwd(a)$ and $passwd(b)$.

Step 3. The facts initially known to P ($M_P \cup K_P$) are: a, b, s, $K_s$, $\{a, b, n_{a1}, n_{a2}, c_a, \{t_a\}_{K_a}\}_{K_s}$, $\{b, a, n_{b1}, n_{b2}, c_b, \{t_b\}_{K_b}\}_{K_s}$, $\{n_{a1}, n_{a2} \oplus k\}_{K_a}$, $\{n_{b1}, n_{b2} \oplus k\}_{K_b}$, $\{r_a\}_k$, $\{f_1(r_a), r_b\}_k$, and $\{f_2(r_b)\}_k$.

Step 4. We now enumerate all derivable facts (set D) by considering all possible interactions of P: $(a, b)$, $(P_a, b)$, $(a, P)$, $(P_a, P)$. (Here $P_a$ represents P masquerading as a.) We do not need to consider the remaining possibilities because of the symmetry in the protocol. From combinations $(a, b)$ and $(P_a, P)$, and since serv gives two instances of $\{n_{a1}, n_{a2} \oplus k\}_{K_a}$ (from step 1 above on unintended services), P can now have $\{n_{a1}, n_{a2} \oplus k\}_{K_a}$ and $\{n_{a1}, n_{a2} \oplus k'\}_{K_a}$ (with $k \neq k'$).

We leave it to the reader to check the remaining combinations to make sure that no useful terms can be derived.

Step 5. We now derive all possible facts obtainable by using elements in set G. These are $(n_{a1}, n_{a2} \oplus k)$ and $(n_{b1}, n_{b2} \oplus k)$. Also, the penetrator can obtain $n_{a2}$, since in combination $(a, P)$ of step 4 he knows k and hence obtains $n_{a2}$ from $n_{a2} \oplus k$.

Step 6. We now consider the set V (verifiable facts). From step 4 using set D, P can compare $n_{a1}$ in $\{n_{a1}, n_{a2} \oplus k\}_{passwd(a)}$ and $\{n_{a1}, n_{a2} \oplus k'\}_{passwd(a)}$ by guessing $passwd(a)$ and decrypting both, i.e. with g as the guess, he can do $(\{\{n_{a1}, n_{a2} \oplus k\}_{passwd(a)}\}_{g^{-1}})_1 = (\{\{n_{a1}, n_{a2} \oplus k'\}_{passwd(a)}\}_{g^{-1}})_1$.

Step 7. We will now show how we uncover an attack on this protocol, and the importance of $c_a$ and $c_b$. We will try to find the facts that P can construct, using the knowledge he obtained in the previous steps, in the format of some recorded messages. Firstly, remove $c_a$ from message 1. The remaining part of this message contains a, b, $n_{a1}$, $n_{a2}$, which are known to the penetrator ($n_{a1}$ and $n_{a2}$ from step 5). The timestamp $t_a$ is arbitrary, and hence he can encrypt it with the guess he previously used to decrypt message 4 in step 5. He can now combine all these fields and encrypt with $K_s$ (which is a public key and hence $\in K_P$) to construct a message of the form of message 1 and compare it with the actual recorded value.

It is here that the importance of $c_a$ becomes perceivable. Observe that P could not derive it using any of the previous steps. Hence, if $c_a$ is present inside message 1, it thwarts a guessing attack by preventing P from constructing a similar message to verify the guess. Similarly for $c_b$.

4. Mixing EKE

In this section we use the procedure we developed in the previous section on the EKE protocol, which we showed to be vulnerable to multi-protocol guessing attacks in section 2. The analysis helps in deriving rules about some "critical" messages, which are then framed within the strand space model to prove the correctness of the EKE protocol in a mixed environment when the rules are followed.

Figure 1 represents the EKE protocol.

Figure 1: Message Exchange in EKE protocol

Step 1. The unintended services here are only those of agent b: corresponding to $\{pk\}_{passwd(a,b)}$, b gives $\{\{k\}_{pk}\}_{passwd(a,b)}$.

Step 2. $G = \{passwd(a,b)\}$.

Step 3. $M_P = \{\{pk_a\}_{passwd(a,b)},\ \{\{k\}_{pk_a}\}_{passwd(a,b)},\ \{n_a\}_k,\ \{n_a, n_b\}_k,\ \{n_b\}_k\}$.

Step 4. Possible interactions: $(a, b)$, $(a, P)$, $(a, P_b)$, $(P, b)$, $(P_a, b)$. From $(a, P)$, P can obtain $pk'_a$. Hence $D = \{pk'_a\}$. (Again we leave it to the reader to check all the remaining combinations to verify that there are no other possible derivations.)

Step 5. Facts obtained by guessing: $O = \{pk_a, \{k\}_{pk_a}\}$.

Step 6. Verifiable facts (V): $V = \emptyset$. However, from steps 4 and 5, P can do (with guess g) $pk'_a = \{\{pk_a\}_{passwd(a,b)}\}_{g^{-1}}$.

Step 7. Constructible facts: $C = \emptyset$, since none of the terms in $M_P \cup D \cup O$ can be used to construct a recorded value for verification.

From the results in the procedure, and in particular steps 6 and 7, it is evident that the protocol remains secure as long as:

1. $pk_a$ is never obtainable from a secondary strand (i.e. using any secondary strand s, $pk_a \not\sqsubseteq f$, $\forall f \in D$, D obtained from s).

2. No term encrypted with $pv_a$ (= $pk_a^{-1}$) should be obtainable either.

3. No term encrypted with $pk_a$ should be verifiable (i.e. $\in D \cup M_P$).

We will now represent these conditions in a mixed strand space reflecting the EKE protocol as a "primary" protocol and all others as secondary protocols.

Definition 4. Let $\Sigma$ be a strand space.

1. $Init[pk_a, passwd(a,b), k, n_a, n_b]$ is the set of strands in $\Sigma$ whose trace is

$\langle +\{pk_a\}_{passwd(a,b)},\ -\{\{k\}_{pk_a}\}_{passwd(a,b)},\ +\{n_a\}_k,\ -\{n_a, n_b\}_k,\ +\{n_b\}_k \rangle$

$\Sigma_{init}$ is the union of the range of Init.

2. $Resp[pk_a, passwd(a,b), k, n_a, n_b]$ is the set of strands in $\Sigma$ whose trace is

$\langle -\{pk_a\}_{passwd(a,b)},\ +\{\{k\}_{pk_a}\}_{passwd(a,b)},\ -\{n_a\}_k,\ +\{n_a, n_b\}_k,\ -\{n_b\}_k \rangle$

$\Sigma_{resp}$ is the union of the range of Resp.

Also, $\Sigma_{init}$ and $\Sigma_{resp}$ are pairwise disjoint and form the primary strands in $\Sigma$, denoted as $\Sigma_P$ (= $\Sigma_{init} \cup \Sigma_{resp}$). The rest of the strands in $\Sigma$ are secondary strands and are represented as $\Sigma \setminus \Sigma_P$ ($\setminus$ is the set difference operator).

The following definition defines the sets of items that we need in order to state the rules derived above.

Definition 5. Let $L_O$ and $I_D$ be defined such that

• $L_O$ denotes the set of all terms such that $\forall pk \in PK$, $\exists f \in M_P \cup D \cup O$, $pk \sqsubseteq f$.

• $I_D = I_k[D]$ with $k = PV_a \cup PK_a$.

We will now model the conditions we derived using the procedure above within the strand space framework. Our main theorem states that a mixed protocol environment containing the EKE protocol as the primary protocol is secure against multi-protocol guessing attacks as long as the strand space respects those conditions:

Theorem 1. Let $\Sigma$ represent a mixed strand space with the EKE protocol representing the primary strands. Let C be a bundle in $\Sigma$. Then no guessing attacks can succeed in C if:

1. $PK_a$ is unserved in $\Sigma$.

2. $I_D$ is strongly unserved in $\Sigma$.

Proof. We do a case analysis. Firstly, observe from our procedure that a guessing attack is feasible if either verification using set V (step 6) or set C (step 7) is successful. Hence, we consider those sets and use the above conditions to prove that the sets will always be null under those conditions.

Part 1. $PK_a$ is unserved. From step 5, verification of any $g \in G$ is possible if $(D \cup M_P \cup K_P) \cap O \neq \emptyset$. In this case, from our analysis, $(D \cup M_P \cup K_P) \cap O = \{pk_a\}$ iff $pk_a = pk'_a$. However, according to condition 1 in the theorem, $PK_a$ is unserved in $\Sigma$, i.e. if $pk_a$ originates in $(\Sigma_{init} \cup \Sigma_{resp})$ then $\forall pk'_a$ originating in $\Sigma \setminus \Sigma_P$, $pk_a \neq pk'_a$. Hence $(D \cup M_P \cup K_P) \cap O = \emptyset$.

Part 2. Again observe that, for verification, $pk_a$ should be verifiable, since $O = \{pk_a, \{k\}_{pk_a}\}$ and $k \notin (D \cup M_P \cup K_P)$. The procedure demonstrated that $pk_a$ is not verifiable in $\Sigma_P$, and part 1 demonstrated that $pk_a$ is not verifiable in $\Sigma$ if $pk_a$ is unserved in $\Sigma$.

A verification is still possible if some f encrypted with $pk_a$ or $pk_a^{-1}$ is verifiable and $f \in \Sigma \setminus \Sigma_P$. However, in contradiction, condition 2 requires that $I_D$ (all verifiable terms encrypted with $pk_a$ or $pv_a$, from Definition 5) is strongly unserved in $\Sigma$, i.e. no such term ever originates on a secondary strand either. Hence a verification attempt is infeasible as long as the condition holds.

□


5. Conclusion

In this paper we have introduced new types of attacks, called multi-protocol guessing attacks, on protocols using weak secrets. We have developed a systematic procedure to derive some conditions that would prevent these attacks. We then proved that, as long as these conditions are satisfied, a protocol can never be attacked through multi-protocol guessing attacks.

Some points are worth mentioning here. Our procedure to analyze protocols is stronger than Gong et al.'s [9], since we consider all knowledge sets obtainable by the penetrator, as Lowe [15] does, whereas Gong et al. consider only fixed penetrator knowledge. The uniqueness of the procedure is that it allows one to pinpoint the exact kind of vulnerabilities that a protocol might present, especially when operating in a mixed environment. By determining the conditions that prohibit any new vulnerabilities that can possibly arise, a more concrete design of protocols is possible.

One immediate extension of this work is related to automating the procedure we have used to detect possible guessing attacks. Another possible extension would be to find techniques of general applicability to prevent multi-protocol guessing attacks, as in [11]. It wou